In the section about Point-of-Sale Intrusions, the Verizon 2014 Data Breach Investigations Report recommends to "Debunk the flat network theory" to protect POS devices. Here's what it says on page 19:

Debunk the flat network theory

Review the interconnectivity between stores and central locations and treat them as semi-trusted connections. Segment the POS environment from the corporate network

This struck me as a little odd since network segmentation is a well-known and common best practice on most networks. Also, there is a strong economic incentive for companies to segment their main corporate network from anything touching credit cards: If you segment off the parts of your network that contain credit card data, your PCI scope is limited to the segments that have credit cards. In other words, you will only have to implement PCI requirements and demonstrate compliance for part of your network, not your entire network. This can mean a huge reduction in compliance costs. Since businesses mostly follow the money, it seems hard to believe that network segmentation is not prevalent with today's retailers.

I believe that the culprit is more likely to be a bad process for change control. As networks evolve, they change organically. Even if your network segmentation was architected and executed perfectly on day one, it will have undergone several changes. I've often heard of data breaches where a firewall configuration was changed to test something and not changed back when the test was completed.

One way to solve this is to implement better change control processes, but this is hard to enforce, especially in smaller organizations where process is a much heavier burden on the organization. Even in larger organizations, people could make "quick changes" outside of the process. Therefore, it is a good idea to audit whether network segmentation is operational and effective. In fact, the new PCI 3.0 standard requires that you do this if you're using network segmentation to reduce your PCI scope.

Rapid7 Metasploit Pro can test network segmentation by sending packets between two segments, namely between Metasploit itself and a testing server. The MetaModule tests all ports between the two machines to determine which ports are open and closed. This enables you to compare "what is" to "what should be" and determine compliance with your internal security policy and ultimately with the PCI standard.

If you would like to test out Metasploit Pro's Firewall and Network Segmentation Testing MetaModule, you can get a free Metasploit Pro trial from